# create an os server
#
# Provision the VMs first. virt-create.yml is handed the union of the
# staging and production OpenShift control/master/node groups through the
# inline `myhosts=` variable. The same six groups (in a different order)
# form the `hosts:` pattern of the "make the box be real" play below, so a
# group added here must be added there as well or it will be provisioned
# but skipped by the base configuration.
- import_playbook:  "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=os_control_stg:os_control:os_nodes_stg:os_masters_stg:os_nodes:os_masters"

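- name: make the box be real
  hosts: os_control:os_control_stg:os_masters_stg:os_nodes_stg:os_masters:os_nodes
  user: root
  gather_facts: True

  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  roles:
    - base
    - rkhunter
    - nagios_client
    - hosts
    # Staging boxes do not get the VPN client; production hosts do.
    - { role: openvpn/client, when: env != "staging" }
    - ipa/client
    - rsyncd
    - sudo

  tasks:
    # The repo file is a template so its content can vary with the vars
    # loaded above; tagged so it can be refreshed alone with --tags yumrepos.
    - name: put openshift repo on os- systems
      template:
        src: "{{ files }}/openshift/openshift.repo"
        dest: /etc/yum.repos.d/openshift.repo
      tags:
      - config
      - packages
      - yumrepos

    # The control host (which receives the matching private key in the
    # "pre-req setup" play) must ssh as root to every cluster member,
    # including itself, because openshift-ansible is run from there.
    # The path is built with Jinja concatenation: a nested "{{ }}" inside
    # an already-templated lookup argument only works if lookup terms are
    # re-templated, which newer Ansible releases warn about; plain
    # concatenation is unambiguous on every release.
    # NOTE(review): the key is installed without key_options (no from=""
    # source restriction) and authorized_key is not exclusive, so any key
    # already present for root is left in place.
    - name: Deploy controller public ssh keys to osbs cluster hosts
      authorized_key:
        user: root
        key: "{{ lookup('file', private ~ '/files/os/' ~ env ~ '/control_key.pub') }}"

    # Static docker-storage-setup config shared with the osbs hosts.
    - name: copy docker-storage-setup config
      copy:
        src: "{{files}}/osbs/docker-storage-setup"
        dest:  "/etc/sysconfig/docker-storage-setup"

    # Provides the Red Hat CA certificates needed to talk to the
    # subscription/CDN endpoints the openshift repo points at.
    - name: install redhat ca file
      package:
         name: subscription-manager-rhsm-certificates
         state: present

    - import_tasks: "{{ tasks_path }}/yumrepos.yml"
    - import_tasks: "{{ tasks_path }}/motd.yml"

  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"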

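- name: OSBS control hosts pre-req setup
  hosts: os_control:os_control_stg
  tags:
    - os-cluster-prereq
  user: root
  gather_facts: True

  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  tasks:
    # Static /etc/hosts from the hosts role so cluster members resolve each
    # other during the install without depending on DNS.
    - name: fix hosts file
      copy:
        src: "{{roles_path}}/hosts/files/os-hosts"
        dest: /etc/hosts
        owner: root
        group: root
        mode: "0644"

    # openshift-ansible runs from this host and sshes to every member as
    # root with this key; its public half is pushed to the members by the
    # "make the box be real" play. Make sure the directory exists and is
    # root-only before the private key lands in it (copy fails if the
    # directory is missing, and ssh refuses a key file readable by others).
    - name: ensure /root/.ssh exists and is private
      file:
        path: /root/.ssh
        state: directory
        owner: root
        group: root
        mode: "0700"

    - name: deploy private key to control hosts
      copy:
        src: "{{private}}/files/os/{{env}}/control_key"
        dest: /root/.ssh/id_rsa
        owner: root
        group: root
        mode: "0600"

    # Fewer ssh round trips per task for the (long) openshift-ansible run.
    # The ini_file value is written as the literal string "True".
    - name: set ansible to use pipelining
      ini_file:
        dest: /etc/ansible/ansible.cfg
        section: ssh_connection
        option: pipelining
        value: "True"

    # Helpers openshift-ansible expects on the control host.
    - name: Install htpasswd (used in installs)
      package:
        name: httpd-tools
        state: present

    - name: Install java (used in installs)
      package:
        name: java-1.8.0-openjdk-headless
        state: present

    - name: Install python-passlib (used in installs)
      package:
        name: python-passlib
        state: present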

- name: Pre tasks for master/nodes
  hosts: os_masters_stg:os_masters
  tags:
    - os-cluster-deploy
  user: root
  gather_facts: True

  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  tasks:
    # /etc/origin/master is normally created by the installer; create it
    # up front so the CA link below can be placed before deploy_cluster runs.
    - name: make sure the directory for the link is there.
      file:
        path: /etc/origin/master
        state: directory
        mode: "0755"

    # The OpenID identity-provider CA for id.fedoraproject.org is a symlink
    # to the whole system CA bundle rather than one pinned issuer.
    # NOTE(review): this trusts every CA in the bundle for the IdP
    # connection; a single pinned issuer certificate would be stricter —
    # confirm that the broad trust is intended.
    - name: setup link to known ca list for id.fedoraproject.org
      file:
        state: link
        src: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
        dest: /etc/origin/master/fedoraidp_openid_ca.crt

- name: Deploy OpenShift cluster
  hosts: os_control:os_control_stg
  tags:
    - os-cluster-deploy
  user: root
  gather_facts: True

  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  # Two invocations of the same role, one per environment, selected by the
  # `when` on each. They differ only in the inventory file name, the
  # master/node/infra group names and the auth profile; everything else,
  # including the pinned openshift-ansible version (a deliberate
  # supply-chain control — presumably the role checks out that tag, confirm
  # in the role), is identical. The ssh user is root, which is the account
  # the control key from the pre-req play is installed for.
  roles:
    - role: ansible-ansible-openshift-ansible
      cluster_inventory_filename: "cluster-inventory-stg"
      openshift_release: "v3.11"
      openshift_ansible_path: "/root/openshift-ansible"
      openshift_ansible_pre_playbook: "playbooks/prerequisites.yml"
      openshift_ansible_playbook: "playbooks/deploy_cluster.yml"
      openshift_ansible_version: "openshift-ansible-3.11.216-1"
      openshift_ansible_ssh_user: root
      openshift_ansible_install_examples: true
      openshift_ansible_containerized_deploy: false
      openshift_cluster_masters_group: "os_masters_stg"
      openshift_cluster_nodes_group: "os_nodes_stg"
      openshift_cluster_infra_group: "os_nodes_stg"
      openshift_auth_profile: "fedoraidp-stg"
      openshift_master_ha: true
      openshift_debug_level: 1
      openshift_deployment_type: "openshift-enterprise"
      openshift_cluster_url: "{{ os_url}}"
      openshift_app_subdomain: "{{ os_app_url }}"
      openshift_internal_cluster_url: "os-masters{{ env_suffix }}.iad2.fedoraproject.org"
      openshift_api_port: 443
      openshift_console_port: 443
      openshift_shared_infra: true
      openshift_ansible_use_crio: true
      openshift_ansible_crio_only: false
      when: env == 'staging'
      tags: ['openshift-cluster', 'ansible-ansible-openshift-ansible']

    # Production is additionally gated on the datacenter, so a control host
    # outside iad2 runs neither invocation.
    - role: ansible-ansible-openshift-ansible
      cluster_inventory_filename: "cluster-inventory"
      openshift_release: "v3.11"
      openshift_ansible_path: "/root/openshift-ansible"
      openshift_ansible_pre_playbook: "playbooks/prerequisites.yml"
      openshift_ansible_playbook: "playbooks/deploy_cluster.yml"
      openshift_ansible_version: "openshift-ansible-3.11.216-1"
      openshift_ansible_ssh_user: root
      openshift_ansible_install_examples: true
      openshift_ansible_containerized_deploy: false
      openshift_cluster_masters_group: "os_masters"
      openshift_cluster_nodes_group: "os_nodes"
      openshift_cluster_infra_group: "os_nodes"
      openshift_auth_profile: "fedoraidp"
      openshift_master_ha: true
      openshift_debug_level: 1
      openshift_deployment_type: "openshift-enterprise"
      openshift_cluster_url: "{{ os_url}}"
      openshift_app_subdomain: "{{ os_app_url }}"
      openshift_internal_cluster_url: "os-masters{{ env_suffix }}.iad2.fedoraproject.org"
      openshift_api_port: 443
      openshift_console_port: 443
      openshift_shared_infra: true
      openshift_ansible_use_crio: true
      openshift_ansible_crio_only: false
      when: env != 'staging' and datacenter == 'iad2'
      tags: ['openshift-cluster', 'ansible-ansible-openshift-ansible']

- name: Post-Install setup
  hosts: os_stg:os
  tags:
    - os-post-install
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - /srv/private/ansible/vars.yml
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  tasks:
    # Let the monitoring host (noc01) reach NRPE; `insert` puts the rule
    # at the top of INPUT so it precedes any catch-all reject.
    # NOTE(review): the iptables module only changes the running ruleset;
    # whether this survives a reboot depends on something else saving the
    # rules (presumably the base role) — confirm. Unlike the earlier plays
    # there is no `user: root` here, so the connection user comes from the
    # inventory/ansible.cfg default.
    - name: enable nrpe for monitoring (noc01)
      iptables:
        action: insert
        chain: INPUT
        protocol: tcp
        destination_port: "5666"
        source: 10.3.163.10
        jump: ACCEPT
        state: present
      tags:
      - iptables

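- name: Post-Install master setup
  hosts: os_masters_stg:os_masters
  tags:
    - os-post-install
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - /srv/private/ansible/vars.yml
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  tasks:
    # Lock down project creation: strip self-provisioner from the groups
    # every logged-in user belongs to. The command's exit code is not a
    # useful signal, so success is judged on its output: either the role
    # was removed now, or it was already gone.
    # NOTE(review): run_once means only the first master in the run does
    # this; if a single run ever covers both staging and production
    # masters, only one cluster would be locked down — keep runs per env.
    - name: Disallow users from provisioning
      command: oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated system:authenticated:oauth
      changed_when: false
      register: command_result
      failed_when: "' removed:' not in command_result.stdout and 'unable to find target' not in command_result.stderr"
      run_once: True

    # Cluster-scoped role bindings. Uses `oc adm` like the task above
    # rather than the legacy `oadm` alias. These tasks only ever add: a
    # name dropped from the list keeps the role until it is removed by hand
    # (oc adm policy remove-cluster-role-from-user ...). They run on every
    # master so each cluster in the run is covered; re-adding an existing
    # binding is harmless. changed_when: false means the run never reports
    # a change here, even when a new user was bound.
    - name: Allow some users cluster admin
      command: oc adm policy add-cluster-role-to-user cluster-admin {{item}}
      with_items:
      - puiterwijk
      - kevin
      - codeblock
      - smooge
      - mobrien
      changed_when: false

    - name: Set all app owners to have cluster-monitoring-view
      command: oc adm policy add-cluster-role-to-user cluster-monitoring-view {{item}}
      with_items:
      - abompard
      - asaleh
      - bowlofeggs
      - cverna
      - dcallagh
      - dustymabe
      - gnaponie
      - jlebon
      - lholecek
      - lucab
      - misc
      - mizdebsk
      - mjia
      - mohanboddu
      - pingou
      - ralph
      - sanja
      - siddharthvipul1
      - walters
      - zlopez
      changed_when: false

    # Allow projects to create wildcard (*.subdomain) routes on the default
    # router. NOTE(review): a wildcard route presumably lets one namespace
    # claim a whole subdomain on this shared router — confirm that is
    # acceptable for every project that can create routes.
    - name: Enable wildcard routes
      command: oc -n default set env dc/router ROUTER_ALLOW_WILDCARD_ROUTES=true
      changed_when: false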


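- name: Add a cleanup cron job to the nodes
  hosts: os_nodes_stg:os_nodes
  tags:
    - os-node-cleanup
  tasks:
  # Weekly (Monday 00:00) removal of dangling docker images. The cron
  # module matches entries by name, so the name below must not change or
  # the old entry would be left behind next to the new one.
  # `xargs -r` (GNU) skips the rmi entirely when the list is empty; the
  # bare `docker rmi $(...)` form fails with a usage error and sends a cron
  # mail every week there is nothing to remove.
  - name: Ensure a job that runs every Mondays to clean old docker images from the nodes.
    cron:
      name: "remove docker dangling images"
      weekday: "1"
      minute: "0"
      hour: "0"
      job: "docker images -q --filter dangling=true | xargs -r docker rmi"
      state: present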
